Merge branch 'rs-gem-security' into 'master'

Gem updates for security issues - sprockets (rails dependency, but we need to specify a version to pull in fixes) - sass-rails (no security issues, but required an update to meet new sprockets version requirement) - rest-client (coveralls dependency) See merge request !915

Merge branch 'rs-gem-security' into 'master'
Gem updates for security issues - sprockets (rails dependency, but we need to specify a version to pull in fixes) - sass-rails (no security issues, but required an update to meet new sprockets version requirement) - rest-client (coveralls dependency) See merge request !915
2cbf4528 · Dmitriy Zaporozhets · 9c756f93 · 3078b13e · 2cbf4528 · 2cbf4528
Commit 2cbf4528 authored Jul 02, 2015 by Dmitriy Zaporozhets
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 22 deletions

Gemfile Gemfile +11 -1

Gemfile.lock Gemfile.lock +30 -21

No files found.
--- a/Gemfile
+++ b/Gemfile
@@ -2,6 +2,10 @@ source "https://rubygems.org"
 gem 'rails', '4.1.11'
+# Specify a sprockets version due to security issue
+# See https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
+gem 'sprockets', '~> 2.12.3'
 # Default values for AR models
 gem "default_value_for", "~> 3.0.0"
@@ -181,7 +185,7 @@ gem 'mousetrap-rails'
 # Detect and convert string character encoding
 gem 'charlock_holmes'
-gem "sass-rails", '~> 4.0.2'
+gem "sass-rails", '~> 4.0.5'
 gem "coffee-rails"
 gem "uglifier"
 gem 'turbolinks', '~> 2.5.0'
@@ -234,6 +238,12 @@ group :development, :test do
  gem 'rubocop', '0.28.0', require: false
  gem 'spinach-rails'
+  # rest-client is a coveralls dependency and not used directly in GitLab, but
+  # we specify a version here to pick up some security fixes.
+  # See https://github.com/rest-client/rest-client/issues/369
+  # and http://www.osvdb.org/show/osvdb/117461
+  gem 'rest-client', '~> 1.8.0'
  # Prevent occasions where minitest is not bundled in packaged versions of ruby (see #3826)
  gem 'minitest', '~> 5.3.0'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -113,12 +113,12 @@ GEM
    colorize (0.5.8)
    columnize (0.9.0)
    connection_pool (2.1.0)
-    coveralls (0.7.0)
+    coveralls (0.8.2)
-      multi_json (~> 1.3)
+      json (~> 1.8)
-      rest-client
+      rest-client (>= 1.6.8, < 2)
-      simplecov (>= 0.7)
+      simplecov (~> 0.10.0)
-      term-ansicolor
+      term-ansicolor (~> 1.3)
-      thor
+      thor (~> 0.19.1)
    crack (0.4.2)
      safe_yaml (~> 1.0.0)
    creole (0.3.8)
@@ -149,6 +149,8 @@ GEM
    diff-lcs (1.2.5)
    diffy (3.0.3)
    docile (1.1.5)
+    domain_name (0.5.24)
+      unf (>= 0.0.5, < 1.0.0)
    doorkeeper (2.1.3)
      railties (>= 3.2)
    dotenv (0.9.0)
@@ -322,6 +324,8 @@ GEM
    html-pipeline (1.11.0)
      activesupport (>= 2)
      nokogiri (~> 1.4)
+    http-cookie (1.0.2)
+      domain_name (~> 0.5)
    http_parser.rb (0.5.3)
    httparty (0.13.3)
      json (~> 1.8)
@@ -377,6 +381,7 @@ GEM
    net-scp (1.2.1)
      net-ssh (>= 2.6.5)
    net-ssh (2.9.2)
+    netrc (0.10.3)
    newrelic_rpm (3.9.4.245)
    nokogiri (1.6.6.2)
      mini_portile (~> 0.6.0)
@@ -525,8 +530,10 @@ GEM
    request_store (1.0.5)
    rerun (0.10.0)
      listen (~> 2.7, >= 2.7.3)
-    rest-client (1.6.7)
+    rest-client (1.8.0)
-      mime-types (>= 1.16)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 3.0)
+      netrc (~> 0.7)
    rinku (1.7.3)
    rotp (1.6.1)
    rouge (1.7.7)
@@ -577,10 +584,10 @@ GEM
    sanitize (2.1.0)
      nokogiri (>= 1.4.4)
    sass (3.2.19)
-    sass-rails (4.0.3)
+    sass-rails (4.0.5)
      railties (>= 4.0.0, < 5.0)
-      sass (~> 3.2.0)
+      sass (~> 3.2.2)
-      sprockets (~> 2.8, <= 2.11.0)
+      sprockets (~> 2.8, < 3.0)
      sprockets-rails (~> 2.0)
    sawyer (0.6.0)
      addressable (~> 2.3.5)
@@ -608,11 +615,11 @@ GEM
      ice_cube (= 0.11.1)
      sidekiq (>= 3.0.0)
    simple_oauth (0.1.9)
-    simplecov (0.9.0)
+    simplecov (0.10.0)
      docile (~> 1.1.0)
-      multi_json
+      json (~> 1.8)
-      simplecov-html (~> 0.8.0)
+      simplecov-html (~> 0.10.0)
-    simplecov-html (0.8.0)
+    simplecov-html (0.10.0)
    sinatra (1.4.4)
      rack (~> 1.4)
      rack-protection (~> 1.4)
@@ -637,12 +644,12 @@ GEM
      spring (>= 0.9.1)
    spring-commands-teaspoon (0.0.2)
      spring (>= 0.9.1)
-    sprockets (2.11.0)
+    sprockets (2.12.4)
      hike (~> 1.2)
      multi_json (~> 1.0)
      rack (~> 1.0)
      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.3.1)
+    sprockets-rails (2.3.2)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      sprockets (>= 2.8, < 4.0)
@@ -657,8 +664,8 @@ GEM
    teaspoon-jasmine (2.2.0)
      teaspoon (>= 1.0.0)
    temple (0.6.7)
-    term-ansicolor (1.2.2)
+    term-ansicolor (1.3.2)
-      tins (~> 0.8)
+      tins (~> 1.0)
    terminal-table (1.4.5)
    test_after_commit (0.2.2)
    thin (1.6.1)
@@ -680,7 +687,7 @@ GEM
      mime-types (~> 1.19)
      multi_json (~> 1.7)
      twitter-stream (~> 0.1)
-    tins (0.13.1)
+    tins (1.5.4)
    trollop (2.1.2)
    turbolinks (2.5.3)
      coffee-rails
@@ -826,12 +833,13 @@ DEPENDENCIES
  redis-rails
  request_store
  rerun (~> 0.10.0)
+  rest-client (~> 1.8.0)
  rqrcode-rails3
  rspec-rails (~> 3.3.0)
  rubocop (= 0.28.0)
  rugments (~> 1.0.0.beta8)
  sanitize (~> 2.0)
-  sass-rails (~> 4.0.2)
+  sass-rails (~> 4.0.5)
  sdoc
  seed-fu
  select2-rails
@@ -849,6 +857,7 @@ DEPENDENCIES
  spring-commands-rspec (~> 1.0.0)
  spring-commands-spinach (~> 1.0.0)
  spring-commands-teaspoon (~> 0.0.2)
+  sprockets (~> 2.12.3)
  stamp
  state_machine
  task_list (= 1.0.2)